
Hackers: should we condemn or embrace them?

A spate of hacker attacks has hit consumer confidence hard with one in five Britons claiming they’ve lost faith in large organisations. Our opinion of hackers isn’t any better, though perhaps we’re too hard on them?

Forty per cent of respondents to a survey by PC Tools think hacking is never justified, regardless of the motive; two-thirds view hackers as criminals and one in three Brits think they’re anti-social.

If anything I’m surprised these figures aren’t higher. Over the past year there’s been a series of high-profile hacks that have seen personal details stolen from innocent web users – such as the attack on Sony’s PlayStation Network that exposed users to identity theft, and an attack on Travelodge’s customer database.

Are hackers always to blame?

The perception is that there is an underground army of hackers out there laying claim to your personal data. But is that true?

A separate report from security firm Imperva sheds some light on the motivation and intention that drives hackers. The company monitors underground hacker forums and in its latest report reveals the top seven attacks discussed online last year. The top three are: SQL injections, DDoS attacks and spam or junk email.

The first two represent definite strikes at the heart of the large organisations we’ve lost faith in. SQL injections aim to exploit software bugs while in a DDoS attack hackers flood the networks of big businesses with traffic in a bid to take them down.

Only one side of the story

I’d never condone these actions. Like most people I’ve bought goods from a variety of online retailers, have an online bank account and a webmail account. Were any of these to be attacked it would present a serious threat to my personal identity.

However, I don’t think hackers are all bad and, before you crash my inbox, hear me out.

Let’s take Sony’s PlayStation Network as an example. Was it awful that millions of people’s data was exposed? Yes. Has Sony enhanced security since the attack? You betcha.

And, as well as shining an unwanted spotlight on Sony, the debacle raised important questions about how customers are notified of this type of security breach. Sony drew fire from many for its delay in informing customers that their personal data might be at risk.

Lessons to be learned

Another look at Imperva’s report acts as a warning to consumers. It’s critical that big businesses invest in a belt-and-braces approach to security, but we must also do our bit.

There’s a lot of discussion within forums on “social engineering” – i.e. how to con or hustle money out of you. One of the best examples of this is the still prevalent phishing emails that purport to come from your bank and then ask you to enter your personal details.

Hacking for financial gain is wrong. It’s a crime and the authorities should fight it. But there’s a small minority of the hacking community that hacks companies to show them where they’re going wrong. Many of these people become ethical hackers and a very few end up working for the very companies they’ve hacked.

Should we tarnish all hackers with the same brush? I’d argue not.

Do you think all hackers are bad?

Yes (55%, 120 Votes)

No (38%, 84 Votes)

Don't know (7%, 16 Votes)

Total Voters: 220


Well if companies took their responsibility to data security seriously, no one would be tempted to hack as they’d be getting nowhere fast. Unfortunately most companies are run by muppets who don’t understand the problem (and won’t listen to those they’ve employed that do) and only see it as an expenditure that can be cost cut. Especially as it doesn’t generate revenue.

First a lot of Hackers are Computer nerds and look on hacking as an intellectual exercise to see if they can penetrate the security.

I will never use social networks because I think they are far too slack and open.

Nor will I ever answer any personal questions on-line by phone or email unless I instigate the call first. It cannot completely eliminate hacking but does go a long way to stop it.

Dave A says:
11 October 2011

Hacking covers a lot of different things. On one hand it’s breaking into security systems for financial gain, but there are many things that I use today that have been enabled by hackers. For example, DVD ripping software (which still seems a bit grey in terms of legality), my jailbroken iPhone that allows me to use my work SIM card in my iPhone. Jailbreaking the iPhone, incidentally, is what spurred Apple to allow third party apps, and provided them inspiration to create the App Store. There are many other ‘hacks’ that break in-built security in the devices we use at home to allow us to use them in ways not intended by the manufacturer. The hacks use the same techniques that hackers of banking systems use. Another example is XBMC which originally was a way of turning an Xbox (original) into a media center that plugs into your TV. People still use it today.

Anonymous says:
11 October 2011

And then there are politically motivated hackers – those who see government or corporate corruption and are otherwise helpless to expose this corruption. Would you also condemn the hacker who has gone on to shine a light on this corruption?

Here’s an obvious example of that [1] – HBGary was hacked, and it was revealed that they had a secret plan to criminally discredit a legitimate Salon journalist named Glenn Greenwald.

There’s also the WikiLeaks data dumps of US-government mass killings of civilians in Iraq and elsewhere. Without these hackers, we’d still be in the dark!

[1] http://www.techdirt.com/articles/20110209/22340513034/leaked-hbgary-documents-show-plan-to-spread-wikileaks-propaganda-bofa-attack-glenn-greenwald.shtml

Hackers should be given jobs and lots of praise.

They highlight all the issues that the companies have neglected due to budgetary issues, and these are security/testing issues, things that companies ALWAYS scrimp on when budget is tight.

This is why there are the 2 terms hackers and crackers where it’s the latter that simply break into systems to cause problems. The former break into systems to see if it can be done or to exercise their brains and capabilities. It may not even be breaking into someone else’s system but looking at how software/systems work to maybe use it differently or improve on it. Hacking itself should not be outlawed but a hacker is held responsible if they cause damage/cost. Cracking is another matter.

tweetiepooh raises an important point: the media have corrupted the original meaning of the term ‘hacker’, which means someone interested in learning about the inner workings of computer systems, as opposed to the casual user who sees them as a ‘black box’ and is just content with using them. The Jargon File defines the media’s usage of Hacker as the last definition, marked ‘deprecated’ on this page: http://catb.org/jargon/html/H/hacker.html .

This distinction is important because many law-abiding hackers who delve deep into their own copies of the operating system on their own computers often get the undeserved label of a computer criminal due to this confusion in the definition of the word.

… Hacking for financial gain is wrong. It’s a crime and the authorities should fight it. …

Regardless of how Which? researchers choose to define it, pretty well any of the activities described under the hacking banner is a criminal act, irrespective of financial motive.

Please read the Computer Misuse Act 1990, a law which came about precisely because earlier attempted convictions under the Forgery and Counterfeiting Act failed. (Signing onto a computer system with false credentials is an act of forgery, but without a financial motive these ancient laws were ineffective in dealing with computer attacks.)

Where even so-called “ethical” hackers go wrong is in i) knowingly attempting to circumvent security controls and then ii) leaving traces of their activity or acting on information they are not entitled to access, just to prove they’ve been there so they can revel in their success.

It’s rather like suggesting joy riders carry out a public service by demonstrating how easy it is to break into cars and thrash them around the streets for a few hours, thus leading to improvements in vehicle security and saving us all from having our cars stolen by nasty professional gangs of thieves.

Apart from the criminal nature of what most hackers do, you seem to have overlooked that we are all paying a daily price for their unauthorized and unelected activities, whether we want to or not. I’ll have to assume Which? run anti-virus software on their PC systems and firewalls on their networks, but the rest of us certainly do. How much does that cost each and every one of us who uses a computer? Ever noticed how sluggish your PC is to boot up with anti-virus software running? What does that equate to in lost productivity?

… However, I don’t think hackers are all bad …

Agreed, but almost by definition, the only ethical hackers are the ones you’ve never heard of, because they don’t talk about their work or share information with others. Firstly, they do not actively and knowingly attempt to breach the security of systems they are not authorized to access, but when they think they’ve found a loophole, they report it to the responsible body concerned.

Only when that organization fails to take action in a reasonable time frame, should the information then be made public – and after balancing that decision against the risk of alerting those with criminal intent of an opportunity waiting to be tapped. Were Sony given due warning?

I do think that hackers are criminals. While companies improving the security around their systems and the data that they hold is further progress towards the ‘cure’ aspects of hacking, I think that this needs to go hand-in-hand with making the ‘prevention’ more effective i.e. identify penalties that will actually deter hacking.
A first step towards identifying more effective penalties could be market research – actually asking hackers what matters to them most and what would deter them. Then put penalties in place that hit them ‘where it hurts’.
At the present time, it almost seems that people’s response to hacking, including the Government’s and judicial system, is one of awe and admiration. It almost seems to be, for instance, a response along the lines of ‘Did you steal this little old lady’s life savings by yourself? Aren’t you clever! We must make you a Director of IT Security in some multinational company.’
Talking of hackers, I think it’s deplorable that Julian Assange is still in Ecuador’s UK Embassy and that he has refused to meet with Swedish investigators concerning those two sexual accusations against him. He was originally detained by UK authorities, who were acting on an Interpol Red Notice, which has the weight of an international arrest warrant. Interpol would only have issued one in response to either an arrest warrant being issued or court decision being made in Sweden, to say that there were cases for Assange to answer.
After the UN committee chose to look into Assange’s situation and their findings were reported in our media, I felt like standing outside the Ecuadoran Embassy, holding up two placards: one saying ‘JULIAN, STOP DETAINING YOURSELF ARBITRARILY!’ and ‘JULIAN, LET YOURSELF GO!’.
I hope we still have police stationed outside the embassy so, should Assange just do the equivalent of ‘popping to the corner shop for a packet of fags’, he can be arrested and put on a plane to Sweden!

Crispy says:
12 April 2017

Breaking into a system for financial gain is wrong and a criminal offence. Breaking into a system to demonstrate how ineffective security is, is a valuable service, and a good way of ensuring large corporates don’t neglect security for financial gain. Corporates often just look at the bottom line, restricting the spend the IT departments need to ensure security to save money, often without understanding the consequences of those restrictions. These ethical hackers do a good job at holding these corporates to account.

It’s like leaving your front door open. The person who goes in and steals is the criminal, not the person who tells you that your door is open or who finds your door key under a flower pot and then tells you of the security issue you have. What would you prefer: to know that your own security is suspect before a real criminal does a crime, or to throw your hands up in the air when you are burgled, expecting the insurance company to pick up the pieces, who put up your premium and tell you what security you need before you are allowed to be insured again? Personally I would like to know in advance, saving me time in repurchasing the goods stolen and saving on the insurance premium, without having the secondary effects of identity theft.
